DiscrimiNAT Firewall
DiscrimiNAT is a drop-in replacement for AWS NAT Gateway and GCP Cloud NAT that adds FQDN-based egress filtering without proxy configuration, CA certificates, or application changes. Deploy incrementally with zero-downtime migration and rollback to cloud NAT in under 1 minute.
Cloud-managed NAT gateways allow unrestricted outbound internet access. This creates blind spots exploited by Log4Shell, supply chain attacks, and data exfiltration.
ZERO-RISK MIGRATION PATH
- Discover: Deploy in see-thru mode alongside existing NAT (logs all FQDNs without blocking)
- Validate: Enable per-app dry-run mode (simulates enforcement without blocking)
- Rollout: Gradually shift traffic with route table changes
- Rollback: Revert to cloud NAT anytime with a single route table change (< 1 minute)
OUT-OF-BAND DNS LOOKUPS
Unlike SNI-only firewalls (including AWS Network Firewall and GCP NGFW), DiscrimiNAT performs out-of-band DNS verification: it checks that the IP address being connected to actually belongs to the domain name claimed in the SNI.
SNI-only firewalls are trivially bypassed:
```shell
# Attacker spoofs SNI to allowed domain while connecting to malicious IP
curl --resolve "allowed-domain.com:443:MALICIOUS_IP" https://allowed-domain.com/
```
Our Wormhole DNS technology, developed over two years of research, handles CDN, elastic, and load-balanced IPs correctly with zero false positives. Get a demo for a deep-dive, or check out our comparison pages.
SIMPLE CONFIGURATION
Allowlists are defined in your existing AWS Security Groups or GCP Firewall Rules. No new UI to learn. Specify allowed FQDNs in the rule description or the Parameter Store, and the firewall handles the rest.
- Configuration lives in your Infrastructure-as-Code (Terraform, CloudFormation, CDK)
- Changes are audited via CloudTrail / Cloud Audit Logs
- Security teams can review with read-only permissions
See our 2-minute GCP or AWS video demos.
FQDN DISCOVERY
Before enforcing, discover what your applications actually need:
- Deploy in see-thru mode (monitoring only)
- Capture all outbound FQDNs per application
- Build allowlists based on actual traffic
- Enable dry-run mode to validate before blocking
This ensures the principle of least privilege without breaking applications. See our video library for the log queries to use.
COMPLIANCE READY
| Standard | How DiscrimiNAT Helps |
|---|---|
| PCI DSS 4.0 | FQDN allowlists + TLS 1.2+ enforcement |
| SOC 2 | Egress boundary protection with audit logs |
| NIST 800-53 | AC-4, SC-7, SC-8 controls |
| HIPAA | Transmission security for ePHI |
CLOUD-NATIVE LOGGING
Structured connection logs flow directly to AWS CloudWatch or GCP Cloud Logging. No agents required.
```json
{"dhost": "www.bbc.co.uk",
 "dpt": 443,
 "dst": "203.0.113.9",
 "proto": "tls",
 "cat": "client",
 "instance": "i-bar-xyz",
 "src": "192.168.101.6",
 "reason": "matching rule found in foo",
 "outcome": "allowed",
 "spt": 58412,
 "proto_v": "1.3"}
```
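As an added example (not DiscrimiNAT's own code or log queries), the Discover and Validate steps from the FQDN DISCOVERY section run over records in the log format shown above: a per-instance FQDN allowlist is built from see-thru records, then later records are checked in dry-run fashion to show what enforcement would do. It assumes the `instance` field stands in for "application", and the hostnames, IPs and instance ids are constructed.

```python
import json
from collections import defaultdict

# Constructed see-thru mode records in the shape of the log above (hostnames,
# IPs and instance ids are made up for this example).
SEE_THRU_LOGS = """\
{"dhost": "www.bbc.co.uk", "dpt": 443, "dst": "203.0.113.9", "proto": "tls", "cat": "client", "instance": "i-bar-xyz", "src": "192.168.101.6", "outcome": "allowed", "spt": 58412, "proto_v": "1.3"}
{"dhost": "API.Example.com.", "dpt": 443, "dst": "203.0.113.20", "proto": "tls", "cat": "client", "instance": "i-bar-xyz", "src": "192.168.101.6", "outcome": "allowed", "spt": 58413, "proto_v": "1.2"}
{"dhost": "updates.example.net", "dpt": 443, "dst": "198.51.100.7", "proto": "tls", "cat": "client", "instance": "i-baz-123", "src": "192.168.101.9", "outcome": "allowed", "spt": 40021, "proto_v": "1.3"}
"""

# Constructed records from a later window, used to simulate dry-run enforcement.
# Note api.example.com now resolves to a different IP: allowlisting by FQDN
# rather than IP is what keeps CDN / elastic addresses from breaking the rule.
LATER_LOGS = """\
{"dhost": "api.example.com", "dpt": 443, "dst": "203.0.113.21", "proto": "tls", "cat": "client", "instance": "i-bar-xyz", "src": "192.168.101.6", "outcome": "allowed", "spt": 58500, "proto_v": "1.3"}
{"dhost": "exfil.example.org", "dpt": 443, "dst": "192.0.2.55", "proto": "tls", "cat": "client", "instance": "i-bar-xyz", "src": "192.168.101.6", "outcome": "allowed", "spt": 58501, "proto_v": "1.3"}
"""

def normalise_fqdn(name):
    """Hostnames compare case-insensitively and without a trailing dot."""
    return name.strip().lower().rstrip(".")

def parse_logs(text):
    """One JSON record per line; blank lines are skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def discover_allowlist(records):
    """Discover step: the set of FQDNs each instance actually connected to."""
    seen = defaultdict(set)
    for rec in records:
        if rec.get("dhost"):  # a record without an FQDN gives nothing to allowlist
            seen[rec["instance"]].add(normalise_fqdn(rec["dhost"]))
    return dict(seen)

def dry_run(records, allowlist):
    """Validate step: report what enforcement would do, without blocking."""
    results = []
    for rec in records:
        fqdn = normalise_fqdn(rec.get("dhost", ""))
        permitted = fqdn in allowlist.get(rec["instance"], set())
        results.append({"instance": rec["instance"], "dhost": fqdn, "dst": rec["dst"],
                        "simulated": "allowed" if permitted else "would_block"})
    return results

if __name__ == "__main__":
    allow = discover_allowlist(parse_logs(SEE_THRU_LOGS))
    for r in dry_run(parse_logs(LATER_LOGS), allow):
        print(r)
```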
See building an allowlist from scratch →
TRANSPARENT & FAST
- No proxy configuration required in applications
- No CA certificates to deploy or manage
- No TLS termination so connections remain end-to-end encrypted
If your application works through cloud NAT today, it will work through DiscrimiNAT without changes.
PRODUCT REVIEWS
Have a look at our comprehensive case studies, and product reviews at G2.
G2 ensures reviewers are verified customers. All our marketplace listings also syndicate reviews from G2.